Last month, President Obama issued an Executive Order entitled “Improving Critical Infrastructure Cybersecurity.” According to Michael Daniel of The White House Blog, this Executive Order directs federal agencies to improve security for critical infrastructure by increasing communication between infrastructure owners and operators, local and state government, and the federal government. In a time when more and more critical services are being controlled or managed via the Internet, Daniel stresses the importance of promoting coordination and communication between agencies.
The Executive Order requires information sharing, a flexible risk-based framework of best practices, and privacy protections. Daniel says the order will provide near real-time sharing of information on cyber threats to critical infrastructure, will direct federal agencies to provide timely notification to companies of cyber-intrusion, and will direct the Department of Homeland Security to expedite the processing of clearances for personnel entitled to sensitive and classified cyber threat information. A recent Presidential Policy Directive (PPD-21) on Critical Infrastructure Security and Resilience, released after the President’s 2013 State of the Union Address, further explains and directs the scope of these anticipated regulations.
The Executive Order defines “critical infrastructure” as “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.” However, the Presidential Policy Directive identifies sixteen critical infrastructure sectors: chemical; commercial facilities; communications; critical manufacturing; dams; defense industrial base; emergency services; energy; financial services; food and agriculture; government facilities; healthcare and public health; information technology; nuclear reactors, materials, and waste; transportation systems; and water and wastewater systems. The broadly defined list of target industries could subject a vast array of private businesses to additional regulation. Moreover, because each sector is assigned a federal agency, businesses could be subject to multiple sets of new rules and regulations.
The Executive Order additionally states that it is government policy to “increase the volume, timeliness, and quality of the cyber threat information shared with US private sector entities.” In furtherance of this policy, the Order requires the expedited processing of security clearances to appropriate personnel employed by critical infrastructure owners and operators and the expanded use of private-sector experts to assist the federal government in identifying and addressing potential threats to critical infrastructure.
The Order also includes the possibility of incentives for business participation in the Cybersecurity Program. The accompanying Presidential Policy Directive similarly calls for new incentives targeting the promotion of research and development. However, it remains to be seen whether this “voluntary information sharing program” will develop into mandatory reporting requirements for businesses identified as critical infrastructure.
It is important for businesses to note that the Presidential Policy Directive calls for including audit rights in federal government contracts concerning the sixteen critical infrastructure industries. Therefore, the federal government will have increased authority to inspect the businesses with which it contracts under the auspices of security and resilience of critical infrastructure.
Allen & Gooch is providing this legal update for informational purposes only. This article should not be construed as legal advice or a legal opinion as to any specific facts or circumstances. You should consult your own attorney concerning your particular situation and any specific legal questions you may have.